Polytope Codes Against Adversaries in Networks

Oliver  Kosut,  Lang  Tong,  and  David  Tse 


Abstract — Network  coding  is  studied  when  an  unknown  subset 
of  nodes  in  the  network  is  controlled  by  an  adversary.  To 
solve  this  problem,  the  class  of  polytope  codes  is  introduced. 
Polytope  codes  are  linear  codes  operating  over  bounded  polytopes 
in  real  vector  fields.  The  polytope  structure  creates  additional 
complexity,  but  it  induces  properties  on  marginal  distributions 
of  code  vectors  so  that  validities  of  codewords  can  be  checked  by 
internal  nodes  of  the  network.  It  is  shown  that  a  cut-set  bound  for 
a class of planar networks can be achieved by the polytope codes.
It  is  also  shown  that  this  cut-set  bound  is  not  always  tight,  and 
a  tighter  bound  is  given  for  an  example  network. 

I.  Introduction 

Network  coding  allows  routers  in  a  network  to  execute 
possibly  complex  codes  in  addition  to  mere  forwarding;  it 
has  been  shown  that  allowing  them  to  do  so  can  increase 
throughput [1]. However, taking advantage of this use of coding
at internal nodes means that the sources and destinations
must  rely  on  other  nodes — nodes  they  may  not  have  complete 
control  over — to  reliably  perform  certain  functions.  If  these 
internal  nodes  do  not  perform  the  function  correctly,  or,  worse, 
maliciously  attempt  to  subvert  the  goals  of  the  users,  launching 
a  so-called  Byzantine  attack  [2],  [3],  standard  network  coding 
techniques  fail. 

Suppose  an  omniscient  adversary  controls  an  unknown 
portion  of  the  network,  and  may  arbitrarily  corrupt  the  values 
sent  on  certain  links.  We  wish  to  determine  how  the  size  of 
the  adversarial  part  of  the  network  influences  the  capacity. 
If  the  adversary  may  control  any  z  unit-capacity  edges  in  the 
network,  then  it  has  been  shown  that,  for  the  multicast  problem 
(one source and many destinations), the capacity reduces by 2z
compared  to  the  non-Byzantine  problem  [4],  [5].  To  achieve 
this  rate,  only  linear  network  coding  is  needed.  Furthermore, 
if  there  is  just  one  source  and  one  destination,  only  routing  is 
needed  at  internal  nodes. 

The above model assumes that any set of z edges may
be  adversarial,  which  may  be  overly  pessimistic  depending 
on  the  situation.  If  the  adversary  cuts  a  certain  number  of 
transmission  lines  in  a  network,  this  would  be  a  reasonable 
model.  If,  on  the  other  hand,  the  adversary  seizes  a  single 
router,  it  will  control  the  values  on  all  links  connected  to 
that router; the number of these links may vary
depending  on  which  router  is  attacked.  It  is  easy  to  construct 
examples  (see  [6])  for  which  allowing  the  adversary  to  control 
any set of z edges results in a much lower throughput than
allowing them only to control z edges if they all emerge
from the same node. It is therefore reasonable to consider
the problem of the adversary controlling any set of z nodes,
as we do in this paper.

A.  Related  Work 

Byzantine  attacks  on  network  coding  were  first  studied 
in  [7],  which  looked  at  detecting  adversaries  in  a  random 
linear coding environment. The z unit-capacity edge adversary
problem  was  solved  theoretically  in  [4],  [5].  In  [8],  the  same 
problem  is  studied,  providing  distributed  and  low  complexity 
coding  algorithms  to  achieve  the  same  asymptotically  optimal 
rates.  In  addition,  [8]  looks  at  two  adversary  models  slightly 
different  from  the  omniscient  one  considered  in  [4],  [5]  and 
in  this  paper.  They  show  that  higher  rates  can  be  achieved 
under  these  alternate  models.  In  [9],  a  more  general  view  of 
the  adversary  problem  is  given,  whereby  the  network  itself  is 
abstracted  into  an  arbitrary  linear  transformation. 

Network  coding  under  Byzantine  attacks  that  are  more 
general  than  the  simple  edge-based  model  was  first  studied  in 
[6] and [12]. The former studied node-based attacks by means
of several examples, and the latter looked at the problem of
edge-based attacks when the edges could have unequal capacities.
This problem was found to have similar complications
to the node-based problem. Both found that linear coding
is suboptimal, and that simple nonlinear operations used to
augment a linear code can improve throughput. It is shown in
[13] that the node-based problem subsumes even the unequal
edge problem.

All  of  these  works,  in  addition  to  ours,  seek  to  correct  for 
the  adversarial  errors  at  the  destination.  An  alternative  strategy 
known  as  the  watchdog,  studied  for  wireless  network  coding  in 
[10],  is  for  nodes  to  police  downstream  nodes  by  overhearing 
their  messages  to  detect  modifications.  In  [11],  a  similar 
approach  is  taken,  and  they  found  that  nonlinear  operations 
similar  to  ours  can  be  helpful,  in  which  comparisons  are  made 
to  detect  errors. 

B.  Main  Results 

The primary contribution of the present paper is to elaborate
the theory of polytope codes, originally introduced in
[6] under the less descriptive term “bounded-linear codes”.
Polytope codes make use of probability distributions defined
over polytopes in real vector fields. The main innovation of
these distributions is that they possess properties having to
do with constraints against their marginal distributions. This
property is stated and proved in Section V, and it allows
more effective checks at internal nodes in a network; these
checks either detect and correct adversarial actions or force
adversaries to act properly.


Polytope  codes  are  used  to  prove  that  the  cut-set  bound, 
stated  in  Section  III,  is  tight  for  a  certain  class  of  planar 
networks.  Planarity  requires  that  the  graph  can  be  embedded  in 
a  plane  such  that  intersections  between  edges  occur  at  nodes. 
This  allows  additional  comparisons  that  might  otherwise  not 
be present, allowing the code to defeat Byzantine
attacks more effectively.

Finally,  we  show  in  Section  VIII  that  the  cut-set  bound  is 
not  always  tight,  by  giving  an  example  with  a  tighter  bound. 

II.  Problem  Formulation 

Let $(V, E)$ be a directed acyclic graph. For each edge
$e \in E$, there is an edge capacity $c_e$, which we assume to
be an integer. One node in $V$ is denoted $S$, the source, and
one is denoted $D$, the destination. We wish to determine the
maximum achievable throughput from $S$ to $D$ when any set
of $z$ nodes in $V \setminus \{S, D\}$ are traitors, i.e. they are controlled
by the adversary. Given a rate $R$ and a block-length $n$, the
message $W$ is chosen at random from the set $\{1, \dots, 2^{nR}\}$.
Each edge $e$ holds a value $X_e \in \{1, \dots, 2^{n c_e}\}$.

A code is made up of three components:

1) an encoding function at the source, which produces values
to place on all the output edges given the message,

2) a coding function at each internal node $i \in V \setminus \{S, D\}$,
which produces values to place on all output edges from
$i$ given the values on all input edges to $i$,

3) and a decoding function at the destination, which produces
an estimate $\hat{W}$ of the message given the values
on all input edges.

Suppose $T \subset V \setminus \{S, D\}$ with $|T| = z$ is the set of traitors.
They may subvert the coding functions at nodes $i \in T$ by
placing arbitrary values on all the output edges from these
nodes. Let $Z_T$ be the set of values on these edges. For a
particular code, specifying the message $W$ as well as $Z_T$
determines exactly the values on all edges in the network,
in addition to the destination’s estimate $\hat{W}$. We say that a
rate $R$ is achievable if there exists a code operating at that
rate with some block-length $n$ such that for all messages, all
sets of traitors $T$, and all values of $Z_T$, $\hat{W} = W$. That is,
the destination always decodes correctly no matter what the
adversary does. Let the capacity $C$ be the supremum over all
achievable rates.

III.  Cut-Set  Upper  Bound 

Theorem 1: Consider a cut $A \subset V$ with $S \in A$ and $D \notin A$.
Let $E_A$ be the set of edges that cross the cut. For two not
necessarily disjoint sets of possible traitors $T_1, T_2$, let $E_1$ and
$E_2$ be the subsets of edges in $E_A$ that originate at nodes in $T_1$
and $T_2$ respectively. Let $E$ be the set of edges in $E_1 \cap E_2$ in
addition to all edges $e \in E_1 \cup E_2$ for which there is no path
that flows through $e$ followed by any edge in $E_A \setminus E_1 \setminus E_2$. The
following upper bound holds on the capacity of the network:

$$C \le \sum_{e \in E_A \setminus E} c_e. \qquad (1)$$

Proof: A version of this theorem was proved in [6]. The
proof follows along the lines of the Singleton bound. ■


The corresponding cut-set bound when arbitrary $z$ unit-capacity
edges can be modified by the adversary was proved
in [4]. In [12], it was conjectured (for the edge adversary
problem with unequal capacities) that the cut-set bound (stated
in a more general form than that in [4], but essentially
the same as Theorem 1) is not tight. We prove in Sec. VIII
that the cut-set bound stated in Theorem 1 is not tight in
general. The example used to demonstrate this, though it is
a node adversary problem, can be easily modified to confirm
the conjecture stated in [12].

IV.  Capacity  of  A  Class  of  Planar  Networks 

Theorem 2: Let $(V, E)$ be a network with the following
properties: 

1)  It  is  planar. 

2)  No  node  other  than  the  destination  has  more  than  two 
unit-capacity  input  edges  (i.e.  either  one  2-capacity  edge 
or  two  unit-capacity  edges). 

3)  No  node  other  than  the  source  has  more  output  capacity 
than  input  capacity. 

If $z = 1$, the cut-set bound is tight for this network.

Proof: Omitted due to space limitation. See [13]. Section VI
illustrates the proof for an example, and Section VII
briefly  sketches  how  planarity  is  used.  ■ 

The  key  ingredient  in  the  proof  of  the  above  theorem  is 
the  use  of  a  new  class  of  codes  referred  to  as  Polytope  Codes, 
introduced  next  in  Sec.  V.  Polytope  codes  are  nonlinear  codes, 
but  they  are  not  drastically  different  from  linear  codes;  they 
are linear codes defined on polytopes in real vector fields. The proof
of  the  above  theorem  seems  to  suggest  that  the  cut-set  bound 
may  be  tight  for  a  much  larger  class  of  networks.  Indeed, 
we  conjecture  that  this  theorem  can  be  generalized,  and  that 
polytope  codes  achieve  capacity  for  all  planar  networks  and 
all $z$.

Fig.  1  shows  an  example  of  a  network  that  satisfies  the 
conditions  of  Theorem  2.  Thus  the  capacity  of  this  network 
(achieved  by  a  polytope  code)  is  4.  If  only  linear  codes  are 
allowed,  the  maximum  achievable  rate  is  3  (see  [6]  for  a 
proof  of  a  similar  fact).  The  polytope  code  used  to  prove 
achievability  is  discussed  in  detail  in  Section  VI. 

V.  The  Polytope  Code 

We begin with a simple example of the distribution underlying
the polytope code. For some positive integer $k$, consider
the set of $X, Y, Z, W \in \{-k, \dots, k\}$ satisfying

$$X + Y + Z = 0 \qquad (2)$$

$$3X - Y + 2W = 0. \qquad (3)$$

This  is  the  set  of  integer  lattice  points  in  a  polytope.  Let  the 
distribution  p(xyzw)  be  uniform  over  these  points.  The  region 
of  (X,  Y)  pairs  with  positive  probability  is  shown  in  Fig.  2. 
Observe  that  even  though  X  and  Y  are  linearly  independent 
in  the  subspace  given  by  (2)-(3),  they  are  not  statistically 
independent,  because  the  boundedness  of  Z  and  W  requires 
that $X$ and $Y$ satisfy certain linear inequalities. Nevertheless,
the area of the polygon shown in Fig. 2 grows as $O(k^2)$.
Hence,

$$\lim_{k \to \infty} \frac{H(XY)}{\log k} = 2. \qquad (4)$$

Note also that

$$\lim_{k \to \infty} \frac{H(X)}{\log k} = \lim_{k \to \infty} \frac{H(Y)}{\log k} = 1. \qquad (5)$$

Therefore, for large $k$, $X$ and $Y$ are nearly independent in
that their joint entropy is close to the sum of the individual entropies.
The four variables $X, Y, Z, W$ make up something like
a (4, 2) MDS code, in that each pair is close to independent
for large $k$, and any two completely determine the other two.
These distributions over polytopes can be made to perform
many of the same functions as standard linear variables defined
over finite fields.

Fig. 1. An example planar network. All nodes may be traitors, and all edges
have capacity 1. The specification of a capacity-achieving polytope code is
given.

Fig. 2. An example polytope projected into the $(X, Y)$ plane.

More generally, given an integer matrix $F$ with $m$ columns, consider the
polytope

$$\{x \in \mathbb{Z}^m : Fx = 0,\ |x_i| \le k \text{ for } i = 1, \dots, m\}. \qquad (6)$$

We may also describe this polytope in terms of a matrix
$K$ whose columns form a basis for the null-space of $F$.
Let $p(x)$ be a uniform distribution over this polytope. In a
polytope code, each codeword is a sequence $x^n$ with joint
type equal to $p(x)$. Each edge in the network holds a sequence
$x_i^n$. The following lemma generalizes the entropy calculations
performed above.

Lemma 1: According to $p(x)$, for any $S \subset \{1, \dots, m\}$

$$\lim_{k \to \infty} \frac{H(X_S)}{\log k} = \operatorname{rank}(K_S) \qquad (7)$$

where $K_S$ is the matrix made up of the rows of $K$ corresponding
to the elements of $S$.

Recall that in a linear code operating over the finite field $\mathbb{F}$,
we may express the elements on the edges in a network
$x \in \mathbb{F}^m$ as linear combinations of the message $x = Kw$, where
$K$ is a linear transformation over the finite field, and $w$ is the
message vector. Taking a uniform distribution on $w$ imposes
a distribution on $X$ such that $H(X_S) = \operatorname{rank}(K_S) \log |\mathbb{F}|$.
This differs from (7) only by a constant factor, and in that
(7) holds only in the limit of large $k$. Hence, polytope codes
achieve a similar set of entropy profiles as linear codes.

In a polytope code, every node in the network observes
several sequences $x_i^n$, from which it may determine their
joint type. It will check whether the joint type matches the
corresponding distribution from $p$, and forward a bit specifying
whether it does along all its outgoing edges. In addition, all
nodes will continue forwarding these comparison bits all the
way to the destination. The number of these bits is determined
only by the size of the network, so they occupy an arbitrarily
small amount of link capacity as $n$ grows. These comparisons
force a traitor to make a choice: either it causes the comparison to
fail, which may give away its location, or it is constrained so
that the comparison passes. The following theorem allows us to
analyze how these constraints influence the traitors’ actions.
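
The entropy limits (4)–(5), the MDS-like property and the comparison-bit check described above can be reproduced numerically for the example polytope (2)–(3). The Python below is an added illustration, not code from the paper; the function names, the codeword that lists each polytope point exactly once (so its joint type is exactly p), and the negated Y sequence used as the tampered input are assumptions made for the example.

```python
import itertools
import math
from collections import Counter


def polytope_points(k):
    """Integer points (x, y, z, w) in [-k, k]^4 with x+y+z=0 and 3x-y+2w=0."""
    points = []
    for x in range(-k, k + 1):
        for y in range(-k, k + 1):
            z = -x - y                      # forced by (2)
            if abs(z) > k or (y - 3 * x) % 2:
                continue                    # z out of range, or w not an integer
            w = (y - 3 * x) // 2            # forced by (3)
            if abs(w) <= k:
                points.append((x, y, z, w))
    return points


def marginal_counts(points, coords):
    """Counts of the projection of the uniform distribution p onto coords."""
    return Counter(tuple(pt[i] for i in coords) for pt in points)


def entropy_ratio(points, coords, k):
    """H(X_S) / log k for the coordinate set S = coords (requires k >= 2)."""
    counts = marginal_counts(points, coords)
    total = sum(counts.values())
    h = -sum(c / total * math.log(c / total) for c in counts.values())
    return h / math.log(k)


def pairs_determine_point(points):
    """MDS-like property: any two of the four coordinates fix the other two."""
    return all(
        len(marginal_counts(points, pair)) == len(points)
        for pair in itertools.combinations(range(4), 2)
    )


def comparison_bit(points, coords, *sequences):
    """Node-side check: does the observed joint type equal p's marginal?

    Assumes block length n == len(points), so types compare as exact counts.
    """
    return Counter(zip(*sequences)) == marginal_counts(points, coords)


def forwarding_demo(k=8):
    """Honest vs. tampered sequences at a node that sees the X and Y edges."""
    codeword = polytope_points(k)           # each point once: joint type is p
    xs = [pt[0] for pt in codeword]
    ys = [pt[1] for pt in codeword]
    tampered = [-y for y in ys]             # constructed substitution on the Y edge
    return {
        "honest_joint": comparison_bit(codeword, (0, 1), xs, ys),
        "tampered_single_edge": comparison_bit(codeword, (1,), tampered),
        "tampered_joint": comparison_bit(codeword, (0, 1), xs, tampered),
    }


if __name__ == "__main__":
    for k in (4, 16, 64):
        pts = polytope_points(k)
        print(k, len(pts),
              round(entropy_ratio(pts, (0, 1), k), 3),
              round(entropy_ratio(pts, (0,), k), 3))
    print(forwarding_demo())
```

The tampered Y sequence keeps the type of Y on its own edge (the polytope is symmetric under negation) yet fails the joint check against X, which is the constraint the comparison bits place on a traitor.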

Theorem 3 (Fundamental Property of Polytope Codes):
Let $p(x)$ be a probability distribution for $x \in \{-k, \dots, k\}^m$
such that $p(x) > 0$ only if $Fx = 0$. For another distribution
$q(x)$ on the same space subject to

$$q(A_l x) = p(A_l x) \quad \text{for each } l, \qquad (8)$$

where $A_l \in \mathbb{R}^{u_l \times m}$, $q$ must be identical to $p$ if the following
properties of $F$ and the $A_l$ hold:

1) There exists a positive definite matrix $C$ such that

$$F^T C F = \sum_{l} A_l^T \Sigma_l A_l \qquad (9)$$

for some $\Sigma_l \in \mathbb{R}^{u_l \times u_l}$.

2) There exists an $l^*$ such that the value of $A_{l^*} x$ uniquely
determines $x$ subject to $Fx = 0$. That is, the matrix

$$\begin{bmatrix} A_{l^*} \\ F \end{bmatrix}$$

has full column rank.

Proof: By (8), for all $l$ and all $y \in \{-k, \dots, k\}^{u_l}$,

$$\sum_{x : A_l x = y} q(x) = \sum_{x : A_l x = y,\ Fx = 0} p(x) \qquad (10)$$

where we have used the fact that $p(x)$ is only positive if $Fx = 0$.
Multiplying (10) by $y^T \Sigma_l y$ and summing over all $y$ and all
$l$, then applying (9), yields

$$\sum_{x} [x^T F^T C F x]\, q(x) = \sum_{x : Fx = 0} [x^T F^T C F x]\, p(x). \qquad (11)$$

Observe that $x^T F^T C F x$ is 0 if $Fx = 0$ and positive if $Fx \ne 0$,
because $C$ is positive definite. Therefore the right hand side
of (11) is 0, and the left hand side is a linear combination of
$\{q(x) : Fx \ne 0\}$ with strictly positive coefficients. Therefore
$q(x) = 0$ if $Fx \ne 0$.

Now we make use of property 2). For any $x \in \{-k, \dots, k\}^m$
with $Fx = 0$, we may rewrite (10) for $l^*$ as

$$\sum_{x' : A_{l^*} x' = A_{l^*} x,\ Fx' = 0} q(x') = \sum_{x' : A_{l^*} x' = A_{l^*} x,\ Fx' = 0} p(x'). \qquad (12)$$

But observe that $A_{l^*} x' = A_{l^*} x$ and $Fx' = 0$ imply that $x' = x$.
That is, there is only one term in the summation. Hence,
$q(x) = p(x)$ for all $x$. ■

VI.  Application  of  Polytope  Codes  Against 
Adversary  Nodes 

Consider the example in Fig. 1, shown with a routing
scheme for a polytope code that we will show achieves the
cut-set bound of 4 with one traitor. In Fig. 1, variables $X_1$–$X_8$
comprise the polytope code equivalent of an (8,4) MDS
code. That is, the matrix $F$ imposing constraints on the $X_i$
is such that any four variables are linearly independent, and
determine the other four. Recall that each of these variables
represents a sequence $x_i^n$ transmitted across the respective link
so that $(x_1^n, \dots, x_8^n)$ has joint type equal to $p(x_1 \cdots x_8)$, and
each message is associated with one such joint sequence. In
addition to these sequences, comparison bits are generated and
sent through the network, as discussed above.

To decode, the destination first compiles a list $\mathcal{L} \subset V$ of
which nodes may be the traitor. It does this by taking all
its available data: received comparison bits as well as the
$x_i^n$ sequences it has access to, and determines whether it is
possible for each node, if it were the traitor, to have acted in a
way to cause these data to occur. If so, it adds that node to $\mathcal{L}$.
For  example,  if  the  comparison  bit  from  node  8  reports  that 
the  distribution  of  X 2  and  Xg  did  not  match  p,  then  the  traitor 
must  be  a  node  that  can  influence  one  of  those  two  symbols; 
i.e. $\mathcal{L} \subset \{1, 3, 5, 6, 8\}$. Observe that the true traitor is in $\mathcal{L}$.

Depending on $\mathcal{L}$, the destination chooses which variables
to decode from. Any traitor action leads to some $\mathcal{L}$, so it
is comprehensive to consider all values for $\mathcal{L}$. If $|\mathcal{L}| = 1$,
then this single node must be the traitor, so the destination
can simply disregard all symbols that came into contact with
that node (there are at most 2) and decode the message from
the rest. Now consider the case that $|\mathcal{L}| \ge 2$. Say node $i$ is
the traitor, and $j \in \mathcal{L}$, $j \ne i$. This places certain constraints
on the behavior of node $i$ that we may exploit. The following
lemma allows us to conclude that the code is effective.

Lemma 2: If node $i$ is the traitor, but $j \in \mathcal{L}$, then $i$ could
only have corrupted variables that are also touched by node $j$.

By Lemma 2, the destination can ignore variables touched
by all nodes in $\mathcal{L}$ and decode from the rest. For example,
suppose node 3 is the traitor and node 6 is in $\mathcal{L}$. The only
symbol  node  3  may  have  corrupted  is  Xg,  so  the  destination 
may  decode  from  the  rest. 

To  prove  Lemma  2,  in  principle  one  needs  to  check  the 
condition for all pairs $i$ and $j$. We illustrate the argument for
one pair; generalization is not hard. Suppose that node 3 is
the traitor and it acts such that it appears to the destination
that node 2 may be the traitor. Because node 2 and node
3 do not share any symbols, we wish to show that node 3
cannot transmit to nodes 6 and 7 anything but the true values
of $X_5$ and $X_6$ respectively. Let $q(x_1 \cdots x_8)$ be the empirical
type of the sequences sent through the network, where it may
be different from $p$ if node 3 has changed $X_5$ or $X_6$. The
following conditions hold on $q$:

$$q(x_1 x_2 x_7 x_8) = p(x_1 x_2 x_7 x_8), \qquad (13)$$

$$q(x_2 x_5) = p(x_2 x_5), \qquad (14)$$

$$q(x_6 x_7) = p(x_6 x_7), \qquad (15)$$

$$q(x_1 x_5 x_6 x_8) = p(x_1 x_5 x_6 x_8). \qquad (16)$$


Condition (13) holds because $X_1, X_2, X_7, X_8$ cannot be influenced
by node 3, so they retain their true values. Condition
(14) holds because if it did not, node 5, which observes $X_2$
and $X_5$, would detect it, and forward the information to the
destination. Since node 2 cannot influence $X_2$ or $X_5$, this
would remove 2 from $\mathcal{L}$. Similarly, (15) holds because $X_6, X_7$
are compared at node 7. Finally, if (16) did not hold, then the
destination could tell that node 2 was not the traitor, because
$X_1, X_5, X_6, X_8$ are untouched by node 2.

We wish now to apply (13)–(16) to Theorem 3 to conclude

$$q(x_1 x_2 x_5 x_6 x_7 x_8) = p(x_1 x_2 x_5 x_6 x_7 x_8). \qquad (17)$$

This is enough to show that $X_5$ and $X_6$ cannot be corrupted
by node 3, because under $p$, $X_1, X_2, X_7, X_8$ determine $X_5$
and $X_6$, so they must do so in exactly the same way under
$q$. We must now check that (13)–(16) satisfy the conditions
of Theorem 3. The second condition can be satisfied by
choosing $l^*$ to correspond to either (13) or (16), since they both
involve four variables, and by construction any four variables
determine the rest. Satisfying the first condition is not so easy:
there exist $\Sigma_l$ matrices such that the right hand side of (8) can
be made to be any matrix whose entries corresponding to the
pairs $(X_2, X_6)$ and $(X_5, X_7)$ are zero, because these pairs
never exist simultaneously in any of (13)–(16). This places
two linear constraints on $C$. Observe that $C$ is $2 \times 2$, since the
six variables are subject to two linear constraints. It can be
shown that there exists a positive definite $C$ iff

$$|K_{1,2,7,8}|\,|K_{1,5,6,8}|\,|K_{1,2,5,8}|\,|K_{1,7,6,8}| < 0. \qquad (18)$$

Observe that in order for $X_1$–$X_8$ to be the equivalent of an
(8,4) MDS code, each of the determinants in (18) must be
nonzero; here we see that we must design the code being
aware of the signs of these determinants as well as that they
be nonzero. It is, however, possible to design $K$ to satisfy (18).
This concludes our proof of Lemma 2 for $i = 3$ and $j = 2$.

VII.  Planar  Networks 

We  briefly  sketch  how  the  arguments  in  Section  VI  can  be 
extended  to  prove  Theorem  2.  We  need  to  generate  a  routing 
scheme  for  an  arbitrary  network,  then  prove  a  more  general 
form  of  Lemma  2.  The  key  observation  in  order  to  do  this  in 
general is that the important comparisons that go on inside the
network are those that involve a variable that does not reach
the destination (e.g. (14) and (15) involve $X_2$ and $X_7$). This
is because those symbols that do reach the destination can
be examined there, so further comparisons inside the network
do not add anything. Therefore the key routing problem is to
carefully design the paths of these non-destination symbols to
maximize the utility of their comparisons. In particular, we
design these paths so that, as much as possible, for a node
having one direct edge to the destination and one other output
edge, the output edge not going to the destination holds a
non-destination variable. The advantage of this is that any
variable, before exiting the network, is guaranteed to cross
a non-destination variable at a node where the two variables
may be compared, but this routing requirement may not be
possible if the network is not planar.

Fig. 3. A network with capacity strictly less than the cut-set bound.

VIII.  Looseness  of  the  Cut-set  Bound 

We  show  that  the  cut-set  bound  given  in  Theorem  1  is  not 
tight.  We  do  this  in  two  parts.  First,  consider  the  problem 
that  a  special  subset  of  nodes  are  designated  as  potential 
traitors,  and  the  code  must  guard  against  adversarial  control 
of any $z$ of those nodes. We refer to this as the limited-node
problem. Certainly the limited-node problem subsumes
the  all-node  problem,  since  we  may  simply  take  the  set  of 
potential  traitors  to  be  all  nodes.  Furthermore,  it  subsumes 
the  unequal-edges  problem  studied  in  [12],  because  given  an 
instance  of  the  unequal-edge  problem,  an  equivalent  limited- 
node  problem  can  be  constructed  as  follows:  create  a  new 
network  with  every  edge  replaced  by  a  pair  of  edges  of  equal 
capacity  with  a  node  between  them.  Then  limit  the  traitors  to 
be  only  these  interior  nodes.  It  can  be  shown  (see  [13])  that  the 
all-node  problem  actually  subsumes  the  limited-node  problem. 
This  is  done  by  constructing  all-node  problems  equivalent  to 
a limited-node problem. Next we give an example of a
limited-node  network  for  which  there  is  an  active  upper  bound 
on  capacity  tighter  than  the  cut-set.  This  proves  that,  even  for 
the  all-node  problem,  the  cut-set  bound  is  not  tight. 

Consider  the  network  shown  in  Figure  VIII.  All  edges  have 
capacity  one,  and  there  is  at  most  one  traitor,  but  it  is  restricted 
to  be  one  of  the  black  nodes.  The  cut-set  bound  is  2,  but  in 
fact  the  capacity  is  no  more  than  1.5. 

Consider a code achieving rate $R$. For $i = 1, 2, 3, 4$, let $X_i$
be the random variable representing the value on the output
edge of node $i$. Let $Y$ be the value on edge $(9, D)$ and let $Z$ be
the value on $(10, D)$. Let $p$ be the honest distribution on these
variables, and define the following alternative distributions:

$$q_3 = p(x_1 x_2 x_4)\, p(x_3)\, p(y | x_1 x_2 x_3)\, p(z | x_3 x_4), \qquad (19)$$

$$q_4 = p(x_1 x_2 x_3)\, p(x_4)\, p(y | x_1 x_2 x_3)\, p(z | x_3 x_4). \qquad (20)$$

If node 3 or node 4 is the traitor, they may induce these
distributions. Therefore

$$R \le I_{q_3}(X_1 X_2 X_4; YZ), \qquad (21)$$

$$R \le I_{q_4}(X_1 X_2 X_3; YZ). \qquad (22)$$

Observe that $q_3(x_3 x_4 z) = q_4(x_3 x_4 z)$, meaning any joint
entropy made up of these three variables is the same for each
distribution. Using this fact, (21), (22), that all edges have
capacity 1, and standard information theoretic inequalities, one
can conclude that $R \le 1.5$.
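
The equality of the two marginals on $(x_3, x_4, z)$ can be checked by summing (19) and (20) over $x_1$, $x_2$ and $y$ (a worked step added here in the paper's notation, not part of the original text). Since $\sum_y p(y | x_1 x_2 x_3) = 1$ for every $(x_1, x_2, x_3)$,

$$q_3(x_3 x_4 z) = \sum_{x_1, x_2} p(x_1 x_2 x_4)\, p(x_3)\, p(z | x_3 x_4) = p(x_4)\, p(x_3)\, p(z | x_3 x_4),$$

$$q_4(x_3 x_4 z) = \sum_{x_1, x_2} p(x_1 x_2 x_3)\, p(x_4)\, p(z | x_3 x_4) = p(x_3)\, p(x_4)\, p(z | x_3 x_4),$$

so both distributions give the same law to $(X_3, X_4, Z)$.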

IX.  Conclusion 

The  main  contribution  of  this  paper  has  been  to  introduce 
the  theory  of  polytope  codes.  As  far  as  we  know,  they  are  the 
best  known  coding  strategy  to  defeat  generalized  Byzantine 
attacks  on  network  coding.  However,  it  remains  difficult  to 
calculate  the  best  possible  rate  they  can  achieve  for  a  given 
network.  We  have  proved  that  they  achieve  the  cut-set  bound, 
and  hence  the  capacity,  for  a  class  of  planar  graphs,  and 
we  conjecture  that  this  holds  for  all  planar  graphs.  One 
would  obviously  hope  to  find  the  capacity  of  all  networks, 
including  non-planar  ones.  We  have  shown  that  achieving  the 
cut-set  bound  is  not  always  possible,  meaning  there  remains 
significant  work  to  do  on  upper  bounds  as  well  as  achievable 
schemes.  Whether  polytope  codes  can  achieve  capacity  on  all 
networks  remains  an  important  open  question. 